from the urls-we-dig-up dept

If you've been reading Techdirt for a while, you probably know that we're not big fans of this myth: "If you're not paying for the product, you are the product." Regardless of whether or not you pay for something, some companies will still treat their customers horribly. Likewise, there are also some corporations that try to treat customers (or users) with respect without expectation of payment for the favor. That said, it's easy to make mistakes that get mis-interpreted when it comes to analyzing consumer behavior. An unintentional email message to a targeted (or even un-targeted) group of customers can enrage a whole community. Consumer data is available to a lot of companies, but it might be wise for these companies to tread lightly with their data scientists. Here are just a few cases that data miners might want to check out.

from the you-sure-you-want-to-go-there dept

For many years I've been a huge fan of law professor James Grimmelmann. His legal analysis on various issues is often quite valuable, and I've quoted him more than a few times. However, he's now arguing that the now infamous Facebook happiness experiment and the similarly discussed OkCupid "hook you up with someone you should hate" experiments weren't just unethical, but illegal. Grimmelmann, it should be noted, was one of the loudest voices in arguing (quite vehemently) that these experiments were horrible and dangerous, and that the academic aspect of Facebook's research violated long-standing rules.

But his new argument takes it even further, arguing not just that they were unethical, but flat out illegal, based on his reading of the Common Rule and a particular Maryland law that effectively extends the Common Rule. The Common Rule basically says that if you're doing "research involving human subjects" with federal funds, you need "informed consent" and further approval from an institutional review board (IRB), which basically all research universities have in place, who have to approve all research. The idea is to avoid seriously harmful or dangerous experiments. The Maryland law takes the Common Rule and says it applies not just to federally funded research but "all research conducted in Maryland."

To Grimmelmann, this is damning for both companies -- and basically all companies doing any research involving people in Maryland. In fact, he almost gleefully posts a letter he got back from Facebook concerning this issue and alerted the company to the Maryland law. Why so gleeful? Because Facebook's Associate General Counsel for Privacy, Edward Palmieri, repeatedly referred to what Facebook did as "research," leading Grimmelmann to play the "gotcha" card, as if that proves that Facebook's efforts were subject to that Maryland law (making it subject to the Common Rule). He further then overreacts to Palmieri, noting (accurately, in our opinion) that the Maryland law does not apply to Facebook's research as Facebook is declaring that the company "is above the law that applies to everyone else."

Except... all of that is suspect. Facebook is not claiming it is above the law that applies to everyone else. It claims that the law does not apply to it... or basically any company doing research to improve its services. Grimmelmann insists that his reading of Maryland's House Bill 917 is the only possible reading, but he may be hard pressed to find many who actually agree with that interpretation. The Common Rule's definition of "research" is fairly broad, but I don't think it's nearly as broad as Grimmelmann wants it to be. Here it is:

Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

I think it's that last bit that may be problematic for Grimmelmann. It focuses on academic research "designed to develop or contribute to generalizable knowledge." That wording, while unfortunately vague, really appears to be focused on those who are doing research for the purpose of more publicly available knowledge. And while perhaps the Facebook effort touches on that, since it eventually became published research, it still seems like a stretch. Facebook wasn't doing its research for the purpose of contributing to generalizable knowledge -- but to improve the Facebook experience. Based on that, the company also shared some of that data publicly. Similarly, OkCupid's research was to improve its own services.

But under Grimmelmann's interpretation of the law, you'd have some seriously crazy results. Basic a/b testing of different website designs could be designated as illegal research without IRB approval or informed consent. I was just reading about a service that lets you put as many headlines on a blog post as you want and it automatically rotates them, trying to optimize which one gets the best results. Would that require informed consent and an IRB? Just the fact that companies call it "research" doesn't make it research under the Common Rule definition. How about a film studio taking a survey after showing a movie. The movie manipulates the emotions of the "human subjects" and then does research on their reactions. Does that require "informed consent" and an IRB?

How about a basic taste test -- Coke or Pepsi? Which do you prefer? It's research. It's developing knowledge via "human subjects." But does anyone honestly think the law for running a taste test means that any company setting up such a taste test first needs to get an IRB to approve it? The results of Grimmelmann's interpretation of the law here are nonsensical. Grimmelmann is clearly upset about the original research, and certainly there were lots of people who felt it was creepy and potentially inappropriate. But Grimmelmann's focus on actively punishing these companies is reaching obsession levels.

For one thing, many academic journals require Common Rule compliance for everything they publish, regardless of funding source. So my colleague Leslie Meltzer Henry and I wrote a letter to the journal that published the Facebook emotional manipulation study, pointing out the obvious noncompliance. For another, nothing in Facebook’s user agreement warned users they were signing up to be test subjects. So we wrote a second letter to the Federal Trade Commission, which tends to get upset when companies’ privacy policies misrepresent things. And for yet another, researchers from universities that do take federal funding can’t just escape their own Common Rule obligations by “IRB laundering” everything through a private company. So we wrote a third letter to the federal research ethics office about the Cornell IRB’s questionable review of two Cornell researchers’ collaborations with Facebook.

And that's before the letters to Facebook and OkCupid -- and, of course, to Maryland's attorney general, Doug Gansler. Of course, if Gansler actually tried to enforce such an interpretation of the law (which is not out of the question, given how quick many attorney generals are to jump on grandstanding issues that will get headlines), it would represent a very dangerous result -- one in which very basic forms of experiments and modifications in all sorts of industries (beyond just the internet) would suddenly create a risk of law-breaking. That's a result incompatible with basic common sense. Grimmelmann's response to that seems to be "but the law is the law," but that's based entirely on his stretched interpretation of that law, one that many others would likely challenge.

from the urls-we-dig-up dept

Some folks look at online dating services as a tool for meeting like-minded people (with potentially romantic engagements). But as with almost anything on the internet, there are also people out there trying to game the system and figure out how the algorithms behind the date matching systems work. (Though, sometimes the process is a bit simpler.) Just to gear up for Valentine's Day later this week, here are just a few examples of people taking online dating to an extreme.